Cfscript queries? #7

clint317 opened this Issue Jan 3, 2013 · 1 comment



clint317 commented Jan 3, 2013

Any chance of including scans for scripted queries?

q = new Query(datasource=mydatasource);
// #col3#, #schema# and #so# are interpolated straight into the SQL text;
// only :qpFa and :qpLa are bound through addParam()
q.setSQL("select col1, col2, #col3#
    from #schema#.tblname
    where fee = :qpFa
    and foo = :qpLa
    and fum = '#so#'");
q.addParam(name="qpFa", value="#val1#", cfsqltype="cf_sql_varchar");
q.addParam(name="qpLa", value="#val2#", cfsqltype="cf_sql_varchar");


boughtonp commented Jan 5, 2013

Not a big one - this isn't a simple thing to add.

The current scanner relies on two things that script queries can't guarantee:

  • Only needs to look for hashes to identify potential user-supplied variables.
  • Queries are clearly terminated; it just needs to look for </cfquery> to find the end.

Neither of these is the case with the script syntax, and even a rudimentary implementation would require a significant amount of work.

Since I don't work with scripted queries myself, there's no incentive for me to spend that amount of time on something I wouldn't use.

Of course, if anyone wants to have a go and send in a pull request that'd be fine, or if anyone wanted to sponsor the development, that's also an option, but both of those would need to come with a big disclaimer that the functionality would be limited, and probably wouldn't cope with, for example:

sql = "select stuff ...";
if (something) sql &= "...";
q.setSQL( sql );
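As an added illustration (not the scanner's own code) of the two assumptions listed above, and of why SQL assembled with `sql &= "..."` defeats a literal-based approach, here is a toy Python scan over constructed CFML snippets; the variable, table and datasource names in the samples are made up.

```python
"""Toy scanner, added here as an illustration (not the project's code), for the two
assumptions boughtonp describes: a bare #hash# marks a potential user-supplied
value, and </cfquery> marks where the SQL ends. All sample inputs are constructed."""
from __future__ import annotations
import re

# Tag syntax: the SQL runs from <cfquery ...> to the matching </cfquery>.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# <cfqueryparam ...> is the parameterised form; its contents are safe and are removed first.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# Any #expression# left over is interpolated straight into the SQL text.
HASH_RE = re.compile(r"#([^#]+)#")
# Script syntax: the only case a regex can follow is a single string literal
# passed to setSQL(); CFML escapes a quote inside a string by doubling it.
SETSQL_LITERAL_RE = re.compile(r'\.setSQL\(\s*"((?:[^"]|"")*)"\s*\)', re.DOTALL)


def scan_cfquery(source: str) -> list[str]:
    """Return hash expressions that appear raw inside <cfquery> bodies."""
    findings = []
    for match in CFQUERY_RE.finditer(source):
        body = CFQUERYPARAM_RE.sub("", match.group(1))
        findings.extend(expr.strip() for expr in HASH_RE.findall(body))
    return findings


def scan_script_query(source: str) -> list[str]:
    """Return hash expressions inside a literal handed to setSQL().
    SQL assembled elsewhere (sql &= "...") never reaches setSQL() as a literal,
    so this finds nothing for it: the limitation described in the comment above."""
    findings = []
    for match in SETSQL_LITERAL_RE.finditer(source):
        findings.extend(expr.strip() for expr in HASH_RE.findall(match.group(1)))
    return findings


# Constructed samples (hypothetical variable, table and datasource names).
TAG_SAMPLE = """<cfquery name="q" datasource="ds">
  select col1 from tbl
  where id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
  and name = '#form.name#'
</cfquery>"""
SCRIPT_LITERAL_SAMPLE = """q = new Query(datasource="ds");
q.setSQL("select col1 from tbl where fee = :qpFa and fum = '#so#'");
q.addParam(name="qpFa", value="#val1#", cfsqltype="cf_sql_varchar");"""
SCRIPT_CONCAT_SAMPLE = """sql = "select stuff from tbl where fum = '#so#'";
if (something) sql &= " and foo = '#bar#'";
q.setSQL( sql );"""
```

Running the three scans reports `form.name` for the tag sample and `so` for the literal script sample, but nothing for the concatenated sample, even though it interpolates two hashes.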